Skip to main content
VBVyBeing
Legal

Data Processing Agreement

Last updated: December 5, 2024

This Data Processing Agreement ("DPA") forms part of the Terms of Service between VyBeing Technologies Ltd. ("VyBeing", "Processor") and you ("Customer", "Controller") and governs the processing of personal data in accordance with Israeli privacy laws and the GDPR where applicable.

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion
  • Controller: The entity that determines the purposes and means of processing (the Customer)
  • Processor: The entity that processes data on behalf of the Controller (VyBeing)
  • Sub-processor: Third-party processors engaged by VyBeing

2. Scope and Roles

Data Controller

The Customer acts as the Data Controller for employee and end-user data processed through the Service. The Customer determines the purposes and means of processing.

Data Processor

VyBeing acts as the Data Processor, processing personal data on behalf of the Customer in accordance with the Customer's documented instructions and this DPA.

3. Data Processing Principles

VyBeing will process personal data in accordance with:

  • Israeli Protection of Privacy Law, 5741-1981 and Amendment No. 13
  • EU General Data Protection Regulation (GDPR) where applicable
  • Customer's documented instructions
  • This DPA and the Terms of Service

Processing Instructions

  • VyBeing will process data only as instructed by the Customer
  • Processing is limited to what is necessary for providing the Service
  • VyBeing will not process data for its own purposes without consent
  • VyBeing will immediately inform Customer if instructions violate applicable law

4. Data Subject Rights

VyBeing will assist the Customer in fulfilling data subject rights requests:

  • Access: Providing data subject access to their personal data
  • Rectification: Correcting inaccurate or incomplete data
  • Deletion: Deleting personal data ("Right to be Forgotten")
  • Restriction: Restricting processing in certain circumstances
  • Portability: Providing data in a machine-readable format
  • Objection: Objecting to processing for specific purposes

5. Security Measures

VyBeing implements appropriate technical and organizational measures:

Technical Measures

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication
  • Regular security testing and vulnerability assessments
  • Intrusion detection and prevention systems
  • Secure software development practices

Organizational Measures

  • Role-based access controls
  • Employee confidentiality agreements
  • Regular security training
  • Incident response procedures
  • Business continuity and disaster recovery plans

6. Sub-processors

Authorized Sub-processors

Customer authorizes VyBeing to engage the following sub-processors:

  • Amazon Web Services (AWS): Cloud hosting and infrastructure
  • Google Cloud Platform: Cloud services and analytics
  • Stripe: Payment processing
  • SendGrid: Email delivery services
  • Intercom: Customer support platform

Sub-processor Obligations

  • VyBeing ensures sub-processors are bound by data protection obligations equivalent to this DPA
  • VyBeing remains liable for sub-processor compliance
  • Customer will be notified of new sub-processors with 30 days notice
  • Customer may object to new sub-processors during the notice period

7. Data Breach Notification

In the event of a personal data breach:

  • VyBeing will notify Customer without undue delay (within 72 hours of discovery)
  • Notification will include nature of breach, affected data categories, and mitigation measures
  • VyBeing will cooperate with Customer to investigate and remediate the breach
  • VyBeing will document all breaches and remedial efforts

8. Data Transfers

Cross-border Transfers

Personal data may be transferred to countries outside Israel and the EEA. VyBeing ensures appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by relevant authorities
  • Adequacy decisions recognizing equivalent data protection
  • Binding Corporate Rules where applicable

9. Audits and Compliance

  • Customer may audit VyBeing's compliance with this DPA upon reasonable notice
  • VyBeing will provide necessary information and cooperation
  • Audits shall be conducted no more than once annually unless required by law or breach
  • Customer shall bear audit costs unless significant non-compliance is found

10. Data Retention and Deletion

Retention

  • VyBeing retains personal data only as long as necessary for service provision
  • Retention periods are specified in our Privacy Policy
  • Customer may request earlier deletion subject to legal obligations

Deletion

Upon termination or Customer request, VyBeing will:

  • Delete or return all personal data within 30 days
  • Certify deletion upon Customer request
  • Retain data only as required by law with documented justification

11. Liability and Indemnity

  • Each party is responsible for its own compliance with data protection laws
  • VyBeing is liable for damages caused by processing that violates this DPA
  • Liability is limited as specified in the Terms of Service
  • VyBeing indemnifies Customer for third-party claims arising from VyBeing's breach

12. Term and Termination

  • This DPA remains in effect for the duration of the Terms of Service
  • Provisions regarding data deletion and confidentiality survive termination
  • Either party may terminate if the other materially breaches this DPA

13. Amendments

This DPA may be amended to reflect changes in law or business practices. Material changes require Customer consent or 30 days notice with right to terminate.

Questions?

If you have any questions about this legal document, please contact us:

Email: [email protected]

Address: VyBeing Technologies Ltd., Tel Aviv, Israel

VyBeing | Joyful Employee Experiences